<?php #//v.3.3.0

#///////////////////////////////////////////////////////
#//  COPYRIGHT 2004 Phpauction.org ALL RIGHTS RESERVED//
#///////////////////////////////////////////////////////

require('./includes/config.inc.php');
require('./includes/messages.inc.php');
#// If user is not logged in redirect to login page
#// Only authenticated users may reach this page; anyone else is sent to the
#// login form. exit() stops the rest of the script from running after the
#// redirect header is queued.
$is_logged_in = isset($_SESSION['PHPAUCTION_LOGGED_IN']);
if (!$is_logged_in) {
	header('Location: user_login.php');
	exit;
}

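if ($_SERVER['REQUEST_METHOD']=="POST") {
	#// Feedback submission. The rater re-authenticates with nick + password;
	#// on success every checked entry in dofeed[] (each value is an index into
	#// TPL_auction[] and TPL_sellbuy[]) becomes one feedback row and bumps the
	#// rated user's rate_sum/rate_num. Failures are reported to the template
	#// via $TPL_err/$TPL_errmsg: ERR_104 missing fields, ERR_102 unknown nick,
	#// ERR_101 wrong password.
	#// NOTE(review): the form carries no CSRF token; the password re-check
	#// limits forged POSTs but does not replace a token.
	if(!empty($_POST['TPL_rater_nick']) && !empty($_POST['TPL_password']) && !empty($_POST['TPL_feedback']) && isset($_POST['dofeed']) && is_array($_POST['dofeed'])) {
		#// Everything that reaches SQL is either cast to int or escaped with
		#// mysql_real_escape_string (addslashes is not charset-aware, and the
		#// ids/rate were previously interpolated raw in several queries).
		$rater_nick_sql = mysql_real_escape_string($_POST['TPL_rater_nick']);
		$feedback_sql   = mysql_real_escape_string($_POST['TPL_feedback']);
		#// NOTE(review): no range check on the rate value - confirm the allowed
		#// values (the template is not visible here) and reject anything else.
		$rate = intval($_POST['TPL_rate']);
		$sql="SELECT id, nick, password FROM PHPAUCTIONXL_users WHERE nick='".$rater_nick_sql."'";
		$resrater=mysql_query ($sql);
		if ($resrater && mysql_num_rows($resrater)>0) {
			$rater=mysql_fetch_array ($resrater);
			#// Strict comparison: with ==, two md5 hex strings of the form
			#// "0e<digits>" are compared as floats and match each other.
			#// (hash_equals() would also close the timing side channel but needs
			#// PHP 5.6; this file still targets the old mysql extension.)
			if ($rater['password'] === md5($MD5_PREFIX.$_POST['TPL_password'])) {
				$rater_id = intval($rater['id']);
				foreach($_POST['dofeed'] as $k=>$key) {
					$auction_id = isset($_POST['TPL_auction'][$key]) ? intval($_POST['TPL_auction'][$key]) : 0;
					$rated_id   = isset($_POST['TPL_sellbuy'][$key]) ? intval($_POST['TPL_sellbuy'][$key]) : 0;
					if ($auction_id<=0 || $rated_id<=0) {
						continue;
					}
					#// Authorisation: the rater must be a party (seller or winner) to
					#// this auction and the rated user must be the other party.
					#// Without this any authenticated user could rate any user id on
					#// any auction id.
					$sql="SELECT seller, winner FROM PHPAUCTIONXL_winners
							WHERE auction=".$auction_id."
							AND ((seller=".$rater_id." AND winner=".$rated_id.")
								OR (winner=".$rater_id." AND seller=".$rated_id."))";
					$resown=mysql_query ($sql);
					if (!$resown || mysql_num_rows($resown)==0) {
						continue;
					}
					#// One feedback per rater / rated user / auction. The previous
					#// check (mysql_num_rows(...) >= 0) was always true, so
					#// re-submitting the form kept inflating rate_sum and rate_num.
					$sql="SELECT rated_user_id FROM PHPAUCTIONXL_feedbacks
							WHERE auction_id=".$auction_id."
							AND rated_user_id=".$rated_id."
							AND rater_user_nick='".$rater_nick_sql."'";
					$resdup=mysql_query ($sql);
					if (!$resdup || mysql_num_rows($resdup)>0) {
						continue;
					}
					$sql="SELECT rate_sum, rate_num FROM PHPAUCTIONXL_users WHERE id=".$rated_id;
					$res2=mysql_query ($sql);
					#// Require an actual row: the old code only tested the result
					#// handle and would update/insert for a non-existent user.
					if ($res2 && mysql_num_rows($res2)>0) {
						$rated=mysql_fetch_array ($res2);
						$rate_sum=$rated['rate_sum']+$rate;
						$rate_num=$rated['rate_num']+1;
						#// reg_date=reg_date is kept from the original; presumably it
						#// stops an auto-updating TIMESTAMP column from being touched -
						#// confirm against the schema.
						$sql="UPDATE PHPAUCTIONXL_users SET rate_sum=".$rate_sum.", rate_num=".$rate_num.", reg_date=reg_date WHERE id=".$rated_id;
						mysql_query ($sql);
						$sql="INSERT INTO PHPAUCTIONXL_feedbacks (rated_user_id, rater_user_nick, feedback, rate, feedbackdate, auction_id) VALUES (
								".$rated_id.",
								'".$rater_nick_sql."',
								'".$feedback_sql."',
								".$rate.", '".date("YmdHis")."', ".$auction_id.")";
						mysql_query ($sql);
					}
				}
				$TPL_feedback="";
			} else {
				$TPL_err=1;
				$TPL_errmsg=$ERR_101;
			}
		} else {
			$TPL_err=1;
			$TPL_errmsg=$ERR_102;
		}
	} else {
		$TPL_err=1;
		$TPL_errmsg=$ERR_104;
	}
}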


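#// Buyer side: closed auctions the logged-in user has won and has not yet
#// rated the seller for. Fills the parallel $AUCTIONIDS/$AUCTIONS/$WINORSELL/
#// $WINNERORSELLER/$BID/$QTY/$WINNERORSELLER_NICK/$WINNERORSELLER_EMAIL
#// arrays starting at index 0 ($i keeps counting in the seller-side loop
#// further down).
#// Session values are still bound into SQL, so they are not trusted blindly:
#// the user id is forced to an integer and the nick - chosen by the user at
#// registration, so possibly containing quotes - is escaped.
$my_id = intval($_SESSION['PHPAUCTION_LOGGED_IN']);
$my_nick_sql = mysql_real_escape_string($_SESSION['PHPAUCTION_LOGGED_IN_USERNAME']);
$query = "SELECT a.auction, a.seller,  a.winner, a.bid, a.fee, b.id, b.current_bid,
					b.title
			  FROM 	PHPAUCTIONXL_winners a, PHPAUCTIONXL_auctions b
			  WHERE a.auction=b.id 
				AND (b.closed='1' OR b.closed='-1')
				AND b.suspended=0
				AND (a.fee in (0,3) OR '".$SETTINGS['invoicing']."'='y')
				AND a.winner=".$my_id;
$res = @mysql_query($query);
$i=0;
if(!$res) {
	MySQLError($query);
	exit;
}
while($row = mysql_fetch_array($res)) {
	$seller_id  = intval($row['seller']);
	$auction_id = intval($row['auction']);
	#// Skip auctions already rated by this user or by the auto-feedback job.
	$query = "SELECT * FROM PHPAUCTIONXL_feedbacks
				WHERE auction_id =".intval($row['id'])."
				AND rated_user_id =".$seller_id."
				AND (rater_user_nick ='".$my_nick_sql."'
					OR rater_user_nick='autofeedback')";
	$resfeed=mysql_query($query);
	if(!$resfeed) {
		MySQLError($query);
		exit;
	}
	if(mysql_num_rows($resfeed) > 0) {
		continue;
	}
	#// Seller's details
	$query = "SELECT nick,email FROM PHPAUCTIONXL_users WHERE id=".$seller_id;
	$re_ = @mysql_query($query);
	if(!$re_) {
		MySQLError($query);
		exit;
	}
	#// Quantity from the user's most recent bid on this auction
	$query = "SELECT quantity FROM PHPAUCTIONXL_bids
				  WHERE  bidder=".$my_id."
				  AND  auction=".$auction_id."
				  ORDER BY id DESC";
	$resq = @mysql_query($query);
	if(!$resq) {
		MySQLError($query);
		exit;
	}
	#// mysql_result() on an empty result set only warns and yields false;
	#// the seller-side loop below already guards this, so guard here too and
	#// only emit a complete entry.
	if(mysql_num_rows($resq) > 0 && mysql_num_rows($re_) > 0) {
		$AUCTIONIDS[$i]=$row['auction'];
		$AUCTIONS[$i] = $row['title'];
		$WINORSELL[$i] = $MSG_25_0002;
		$WINNERORSELLER[$i] = $row['seller'];
		$BID[$i] = $row['bid'];
		$QTY[$i] = mysql_result($resq,0,"quantity");
		$WINNERORSELLER_NICK[$i] = mysql_result($re_,0,"nick");
		$WINNERORSELLER_EMAIL[$i] = mysql_result($re_,0,"email");
		$i++;
	}
}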
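#// Seller side: closed auctions the logged-in user sold and has not yet rated
#// the winner for. Appends to the same parallel arrays as the buyer-side loop,
#// continuing from the current $i.
#// Session values are cast/escaped before being bound into SQL for the same
#// reason as above (the nick is user-chosen data, the id must be an integer).
$my_id = intval($_SESSION['PHPAUCTION_LOGGED_IN']);
$my_nick_sql = mysql_real_escape_string($_SESSION['PHPAUCTION_LOGGED_IN_USERNAME']);
$query = "SELECT a.auction, a.seller,  a.winner, a.bid, a.fee, b.id, b.current_bid,
					b.title
		  		FROM PHPAUCTIONXL_winners a,PHPAUCTIONXL_auctions b
			  WHERE a.auction=b.id 
				AND (b.closed='1' OR b.closed='-1')
				AND b.suspended=0
				AND (a.fee in (0,2) OR '".$SETTINGS['invoicing']."'='y')
				AND a.seller=".$my_id;
$res = @mysql_query($query);
if(!$res) {
	MySQLError($query);
	exit;
}
while($row = mysql_fetch_array($res)) {
	$winner_id  = intval($row['winner']);
	$auction_id = intval($row['auction']);
	#// Skip auctions already rated by this user or by the auto-feedback job.
	$query = "SELECT * FROM PHPAUCTIONXL_feedbacks
				WHERE auction_id =".intval($row['id'])."
				AND rated_user_id = ".$winner_id."
				AND (rater_user_nick = '".$my_nick_sql."'
					OR rater_user_nick='autofeedback')";
	$resfeed=mysql_query($query);
	if(!$resfeed) {
		MySQLError($query);
		exit;
	}
	if(mysql_num_rows($resfeed) > 0) {
		continue;
	}
	#// Winner's details (the old comment said "seller", which was wrong)
	$query = "SELECT nick,email FROM PHPAUCTIONXL_users WHERE id=".$winner_id;
	$re_ = @mysql_query($query);
	if(!$re_) {
		MySQLError($query);
		exit;
	}
	#// Quantity from the winner's most recent bid on this auction
	$query = "SELECT quantity FROM PHPAUCTIONXL_bids
			  WHERE  bidder=".$winner_id."
			  AND  auction=".$auction_id."
			  ORDER BY id DESC";
	$resq = @mysql_query($query);
	if(!$resq) {
		MySQLError($query);
		exit;
	}
	#// Only emit a complete entry: the old code assigned $AUCTIONIDS[$i] and
	#// $AUCTIONS[$i] before the bid check, so a winner with no bid row left a
	#// dangling slot with no $WINORSELL/$BID/$QTY behind it.
	if(mysql_num_rows($resq) > 0 && mysql_num_rows($re_) > 0) {
		$AUCTIONIDS[$i]=$row['auction'];
		$AUCTIONS[$i] = $row['title'];
		$WINORSELL[$i] = $MSG_25_0001;
		$WINNERORSELLER[$i] = $row['winner'];
		$BID[$i] = $row['bid'];
		$QTY[$i] = mysql_result($resq,0,"quantity");
		$WINNERORSELLER_NICK[$i] = mysql_result($re_,0,"nick");
		$WINNERORSELLER_EMAIL[$i] = mysql_result($re_,0,"email");
		$i++;
	}
}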
#// Pre-fill the form's rater nick from the session, then render the page:
#// shared header, the feedback template, shared footer.
$TPL_rater_nick = $_SESSION['PHPAUCTION_LOGGED_IN_USERNAME'];
require 'header.php';
include(phpa_include('template_sellbuyfeedback_php.html'));
include('./footer.php');

?>
